main/nodejs-lts: use system-provided CA certificates

author: Jakub Jirutka <jakub@jirutka.cz> 2016-11-26 01:42:42 +0100
committer: Jakub Jirutka <jakub@jirutka.cz> 2016-11-26 02:23:22 +0100
commit: 1fc05d8d4246c31c785f0f4b8476a6cdc0724267 (patch)
tree: 0c693d649bf15de9b611525d50f6baa81fa10633
parent: de45c93dd48decf6e9cfe483c845be35bdf6c38a (diff)
2 files changed, 93 insertions, 6 deletions
diff --git a/main/nodejs-lts/APKBUILD b/main/nodejs-lts/APKBUILD
index 56c9faefb5d..c9214cdf004 100644
--- a/main/nodejs-lts/APKBUILD
+++ b/main/nodejs-lts/APKBUILD
@@ -1,21 +1,30 @@
 # Contributor: William Pitcock <nenolod@dereferenced.org>
 # Contributor: Jose-Luis Rivas <ghostbar@riseup.net>
+# Contributor: Jakub Jirutka <jakub@jirutka.cz>
 # Maintainer: Eivind Uggedal <eivind@uggedal.com>
 pkgname=nodejs-lts
 pkgver=6.9.1
-pkgrel=0
+pkgrel=1
 pkgdesc="JavaScript runtime built on V8 engine - LTS version"
 url="http://nodejs.org/"
 arch="all"
 license="MIT"
 # gold is needed for mksnapshot
 makedepends="python2 openssl-dev zlib-dev libuv-dev linux-headers paxmark
-	binutils-gold http-parser-dev"
+	binutils-gold http-parser-dev ca-certificates"
 subpackages="$pkgname-dev $pkgname-doc"
 replaces="nodejs"
-source="https://nodejs.org/dist/v$pkgver/node-v$pkgver.tar.gz"
+source="https://nodejs.org/dist/v$pkgver/node-v$pkgver.tar.gz
+	use-system-ca-certs.patch"
 builddir="$srcdir/node-v$pkgver"
 
+prepare() {
+	default_prepare || return 1
+
+	# Remove bundled CA certificates.
+	rm -f src/node_root_certs.h
+}
+
 build() {
         cd "$builddir"
 
@@ -45,6 +54,9 @@ package() {
 	done
 }
 
-md5sums="0d3117846c6704b36108fcdbf30e03c1  node-v6.9.1.tar.gz"
-sha256sums="a98997ca3a4d10751f0ebe97839b2308a31ae884b4203cda0c99cf36bc7fe3bf  node-v6.9.1.tar.gz"
-sha512sums="71a6e081006c8b77f34b5cc26b76c56944b4de77d7ed5e6068c72dbaf49fc18ed2894231f6a5cd0308c40e95c2e1eb5ee2abd1470fd646bb8db3b230913c5014  node-v6.9.1.tar.gz"
+md5sums="0d3117846c6704b36108fcdbf30e03c1  node-v6.9.1.tar.gz
+14ce8e0fb44d5bf75974026900e0d8c2  use-system-ca-certs.patch"
+sha256sums="a98997ca3a4d10751f0ebe97839b2308a31ae884b4203cda0c99cf36bc7fe3bf  node-v6.9.1.tar.gz
+fcd2becd2cb9a62537ae11f51f448fd1061aaae17835bb0f2d2aa71bdf9652c0  use-system-ca-certs.patch"
+sha512sums="71a6e081006c8b77f34b5cc26b76c56944b4de77d7ed5e6068c72dbaf49fc18ed2894231f6a5cd0308c40e95c2e1eb5ee2abd1470fd646bb8db3b230913c5014  node-v6.9.1.tar.gz
+c540878495761f4c38f3cccd61da75fa5619637ba9887b7946964a7cef790178e26678fe0aabe400e32c8f0f65e97a519ceee1534bbf18a1a14bc6e9fe067637  use-system-ca-certs.patch"
diff --git a/main/nodejs-lts/use-system-ca-certs.patch b/main/nodejs-lts/use-system-ca-certs.patch
new file mode 100644
index 00000000000..014b1cedf12
--- /dev/null
+++ b/main/nodejs-lts/use-system-ca-certs.patch
@@ -0,0 +1,75 @@
+From: Jakub Jirutka <jakub@jirutka.cz>
+Date: Sat, 26 Nov 2016 01:32:00 +0200
+Subject: Use system-provided CA certificates instead of bundled ones
+
+Forwarded: need some feedback before submitting the matter upstream
+Author: Jérémy Lal <kapouer@melix.org>
+Last-Update: 2014-03-02
+
+Modified 2014-05-02 by T.C. Hollingsworth <tchollingsworth@gmail.com> with the
+correct path for Fedora
+
+Modified 2015-12-01 by Stephen Gallagher <sgallagh@redhat.com> to update for
+Node.js 4.2
+
+Modified 2016-03-04 by Stephen Gallagher <sgallagh@redhat.com> to update for
+Node.js 5.4.1
+
+Modified 2016-07-26 by Haikel Guemar <hguemar@fedoraproject.org> to update for
+Node.js 4.4.7
+
+Modified 2016-11-26 by Jakub Jirutka <jakub@jirutka.cz> for Alpine Linux
+
+--- a/src/node_crypto.cc
++++ b/src/node_crypto.cc
+@@ -192,8 +192,8 @@ static X509_NAME *cnnic_ev_name =
+ 
+ static Mutex* mutexes;
+ 
+-const char* const root_certs[] = {
+-#include "node_root_certs.h"  // NOLINT(build/include_order)
++const char* root_certs[] = {
++  NULL
+ };
+ 
+ X509_STORE* root_cert_store;
+@@ -847,29 +847,17 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) {
+   CHECK_EQ(sc->ca_store_, nullptr);
+ 
+   if (!root_cert_store) {
+-    root_cert_store = X509_STORE_new();
+-
+-    for (size_t i = 0; i < arraysize(root_certs); i++) {
+-      BIO* bp = NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i]));
+-      if (bp == nullptr) {
+-        return;
+-      }
+-
+-      X509 *x509 = PEM_read_bio_X509(bp, nullptr, CryptoPemCallback, nullptr);
+-      if (x509 == nullptr) {
+-        BIO_free_all(bp);
+-        return;
+-      }
+-
+-      X509_STORE_add_cert(root_cert_store, x509);
+-
+-      BIO_free_all(bp);
+-      X509_free(x509);
++    if (SSL_CTX_load_verify_locations(sc->ctx_, "/etc/ssl/certs/ca-certificates.crt", NULL) == 1) {
++      root_cert_store = SSL_CTX_get_cert_store(sc->ctx_);
++    } else {
++      // empty store
++      root_cert_store = X509_STORE_new();
+     }
++  } else {
++    SSL_CTX_set_cert_store(sc->ctx_, root_cert_store);
+   }
+ 
+   sc->ca_store_ = root_cert_store;
+-  SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
+ }
+ 
+ 
+-- 
+2.9.0
+
author	Jakub Jirutka <jakub@jirutka.cz>	2016-11-26 01:42:42 +0100
committer	Jakub Jirutka <jakub@jirutka.cz>	2016-11-26 02:23:22 +0100
commit	1fc05d8d4246c31c785f0f4b8476a6cdc0724267 (patch)
tree	0c693d649bf15de9b611525d50f6baa81fa10633
parent	de45c93dd48decf6e9cfe483c845be35bdf6c38a (diff)